Term
| ___ is the policy-driven control of access to systems, data, and dialogues |
|
Definition
|
|
Term
| ___ is central to access control |
|
Definition
|
|
Term
| access controls have three functions. what are they? |
|
Definition
authentication: identifying individuals claiming to have permission to a resource
authorizations: specific permissions that a particular authenticated user should have
auditing: collecting information about an individual's activities in log files |
|
|
Term
| to be authenticated, you must show verifier credentials that are based on one of the following |
|
Definition
what you know (password/key)
what you have (physical key/smart card)
who you are (fingerprint)
what you know (how to pronounce a passphrase) |
|
|
Term
| when two different forms of authentication must be used for access, this is ___ |
|
Definition
| two factor authentication |
|
|
Term
| uses more than two forms of authentication for access |
|
Definition
| multifactor authentication |
|
|
Term
| ___ and ___ can negate the strength of two factor authentication |
|
Definition
trojan horses (can send transactions after a user has already authenticated themselves)
man-in-the-middle attack (user logs into a fake banking site; the fake site steals the info as the go-between) |
|
|
Term
| ___ is based on organizational roles rather than individual people |
|
Definition
| role based access control RBAC |
|
|
Term
| With RBAC, creating access control rules is ___ than assigning control rules individually. It also lessens the opportunity for ___. |
|
Definition
|
|
Term
| in ___, departments have no ability to alter access controls set by higher authorities. this is used by the ___ and ___ |
|
Definition
mandatory access control
military
national security organizations |
|
|
Term
| ___ is when the department has discretion over giving access to individuals within policy standards set by higher authorities |
|
Definition
| discretionary access control |
|
|
Term
| ___ is a system that rates documents by sensitivity (Secret, TS, TS/SCI) |
|
Definition
|
|
Term
| ISO/IEC 27002 security clause 9 covers ___ |
|
Definition
| physical and environmental security |
|
|
Term
| Security clause 9 covers 2 categories. what are they? |
|
Definition
9.1 = Secure areas, which covers securing physical areas (buildings, equipment rooms, office areas, etc.)
9.2 = equipment security |
|
|
Term
| discuss the controls of ISO/IEC 27002 9.1 |
|
Definition
securing the building's physical perimeter
implementing physical entry controls (access should be justified, authorized, logged and monitored)
securing public access, delivery and loading areas
securing offices, rooms and facilities
protecting against external and environmental threats
creating rules for working in secure areas (limit unsupervised work, forbid data recording devices) |
|
|
Term
| discuss the controls of ISO/IEC 27002 9.2 |
|
Definition
equipment siting and protection (siting means placing)
supporting utilities (power, water, HVAC): UPS, generators, and frequent testing
cabling security (conduits, underground wiring)
security during off-site equipment maintenance: permission for removal of sensitive information if taken off site
security of equipment off premises: constant attendance except when locked securely; insurance
secure disposal or reuse of equipment: removal of all sensitive information
rules for the removal of property |
|
|
Term
| ___ is when an authorized user opens a door with an access device and an intruder follows through |
|
Definition
|
|
Term
| ISO/IEC 27002 refers to monitoring. What are some remote monitoring methods and issues? |
|
Definition
CCTV: use digital, not tape; resolution; storage; time for storing
motion detection: records feed when tripped; can be programmed for certain types of motion. |
|
|
Term
| ___ is when an attacker goes through a firm's trash bins looking for documents, tapes, or other media |
|
Definition
|
|
Term
| ___ is the most common access control |
|
Definition
|
|
Term
| Using an account name, which isn't secret, and its secret password is ___ |
|
Definition
|
|
Term
| a way to exploit a machine with physical access is to copy the password file and crack it later. This is less ___ than taking the time to run a ___ on a server in person. |
|
Definition
obtrusive
password-cracking program |
|
|
Term
| ___ manage multiple passwords automatically |
|
Definition
| password management programs |
|
|
Term
| What are some good password policies? |
|
Definition
not using the same password at multiple sites
password duration
shared passwords (make auditing impossible)
disabling passwords that are no longer valid
lost passwords: opportunity for social engineering; automated password reset can be beaten with some research
password policies call for passwords to be long and complex:
8+ characters long
change of case, not at the beginning
digit 0-9, not at the end
special character, not at the end
new passwords every 90 days
store passwords as hashes |
|
|
Term
| why are shared passwords bad? |
|
Definition
rarely changed because "everyone knows it"
more likely to be shared
auditing is impossible |
|
|
Term
| how do you combat shared passwords? |
|
Definition
| create group lists from individual accounts |
|
|
Term
| why are many passwords in corporations inappropriate? |
|
Definition
person left the firm
moved to a different position
account was for a temporary contractor |
|
|
Term
| what % of passwords are inappropriate? |
|
Definition
|
|
Term
| ___ prompts roughly 1/4 of all help desk calls |
|
Definition
|
|
Term
| ___ is potentially the weakest link in the use of passwords, especially the self-service reset |
|
Definition
|
|
Term
| ___ are a primary target for hackers |
|
Definition
|
|
Term
| operating systems automatically hash and store passwords; ___ and ___ don't |
|
Definition
online applications
e-commerce sites |
|
|
Term
| ___ is a plastic card that usually is the size of a credit card and is used in a reader for access |
|
Definition
|
|
Term
| ___ looks like a magnetic stripe card but has a built in microprocessor and memory. |
|
Definition
|
|
Term
| a problem with access cards and smart cards is the cost and availability of the ___ |
|
Definition
|
|
Term
| an authentication ___ represents the person wishing to be authenticated |
|
Definition
|
|
Term
| a ___ is a small device with a display that has a number that changes frequently. |
|
Definition
|
|
Term
| a ___ is a small device that plugs into a computer's USB port to identify the owner |
|
Definition
|
|
Term
| an alternative to tokens and cards is ___. |
|
Definition
|
|
Term
| ___ is based on biological measurements |
|
Definition
|
|
Term
| to be enrolled in a biometric system, there are three steps to go through. what are they? |
|
Definition
1. Enrollment Data: reader scans the person's biometric data
2. Key Features: reader then processes the scan to extract key features
3. Template: reader sends key feature information to the database, which stores it as a template |
|
|
Term
| Biometric readers process ___ information to create key features. These key features become the ___ |
|
Definition
supplicant scanning
user access data |
|
|
Term
___ refers to the accuracy when the supplicant is not trying to deceive the system.
Whereas, ___ is the likelihood that an impostor will be able to deceive the system if he or she tries. |
|
Definition
|
|
Term
___ means that the person is matched to a particular template
___ is a match to a template that should not have been made
the rate of acceptances as a percentage of total access attempts is called ___ |
|
Definition
acceptance
false acceptance
false acceptance rate (FAR) |
|
|
Term
___ is when the supplicant is incorrectly rejected as a match to a template when they should be accepted.
___ is the probability that the system will reject a person who should be matched to a template. |
|
Definition
False Rejection
False rejection rate (FRR) |
|
|
Term
| what are the uses for biometrics? |
|
Definition
verification
identification
watch lists |
|
|
Term
| ___ is when a supplicant claims to be a particular person and the challenge is to measure the supplicant's biometric access data against the template of the person they claim to be. |
|
Definition
|
|
Term
| ___: the supplicant doesn't claim to be a particular person. it is the job of the system to identify the supplicant. |
|
Definition
|
|
Term
| in identification, the supplicant's biometric access data is matched against: |
|
Definition
| everyone's template that is stored in the system |
|
|
Term
| ___ identifies a person as being a member of a group. |
|
Definition
|
|
Term
| ___ is when an attacker deliberately attempts to fool the biometric system |
|
Definition
|
|
Term
| ___ is a well developed and inexpensive biometric technology. |
|
Definition
|
|
Term
| a ___ is the difference between the scan's key features and the template. if the error is smaller than a value called the ___, the supplicant is accepted as a match |
|
Definition
match index
decision criterion |
|
|
Term
| ___ is an invisible print left on a glass or other object |
|
Definition
|
|
Term
| ___ is the most precise form of biometric authentication with very low FAR |
|
Definition
|
|
Term
| ___ is useful for door access control. However, it is highly sensitive to lighting differences between the stored image and real life scan |
|
Definition
|
|
Term
| the major benefit of face recognition is that it can be used ___ |
|
Definition
|
|
Term
| ___ is easily deceived by recordings and has a high FRR |
|
Definition
|
|
Term
| what are the most widely used types of biometric authentication? which one is dominant? |
|
Definition
fingerprint, iris, face and hand geometry
fingerprint |
|
|
Term
| ___ is accepting public keys and providing new digital certificates to users |
|
Definition
|
|
Term
| ___ states unless individuals are carefully vetted before being allowed into the system, impostors can enroll through social engineering |
|
Definition
| prime authentication problem |
|
|
Term
| ___ means each person should only get the permissions that he or she absolutely needs |
|
Definition
| principle of least permission |
|
|
Term
| Single Sign-On is a good long-term objective; however, ___ sign-on is all an organization can accomplish |
|
Definition
|
|
Term
| in ___ an employee can log in once and receive service from several servers but not all of them |
|
Definition
|
|
Term
| ___ are central repositories for information about people, equipment, software and databases |
|
Definition
|
|
Term
| authentication servers communicate with directory servers using the ___ |
|
Definition
| Lightweight Directory Access Protocol LDAP |
|
|
Term
| companies usually divide their resources into multiple ___ |
|
Definition
|
|
Term
| Domain X has a single ___ server which controls the resources in the domain |
|
Definition
|
|
Term
| Domain Y has Two domain controllers. what are they |
|
Definition
|
|
Term
| ___ means that one directory server will accept information from another |
|
Definition
|
|
Term
| ___ gets the directory servers to exchange information and to synchronize services in a variety of ways |
|
Definition
|
|
Term
| when talking between companies, you use ___ |
|
Definition
| federated identity management |
|
|
Term
| the dominant standard for sending security assertions today is the ___ |
|
Definition
| security assertion markup language SAML |
|
|
Term
| ___ is the policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources |
|
Definition
|
|
Term
| ___ is a system where the user authenticates themselves to the identity management server once |
|
Definition
|
|
Term
| Identity management consists of: |
|
Definition
initial credential checking
defining identities
trust relationships
provisioning
decentralization
self-service functions |
|
|